
CVE-2026-24091

High
CWE-1286 — Weakness Type
Published: Jun 1, 2026  ·  Modified: Jun 8, 2026  ·  Source: NVD
CVSS v3: 7.2
📄 Description (English)

Memory corruption while processing fastboot commands with improperly formatted input.

🤖 AI Executive Summary

CVE-2026-24091 is a high-severity memory corruption vulnerability in Qualcomm fastboot command processing affecting multiple chipsets used in automotive, IoT, and connectivity devices. The vulnerability allows attackers to trigger memory corruption through malformed fastboot input, potentially leading to device compromise or denial of service. While no public exploit exists, the vulnerability impacts widely-deployed Qualcomm firmware across critical infrastructure and automotive sectors in Saudi Arabia.

🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 18:16
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to the Saudi automotive sector (connected vehicles, autonomous systems), telecommunications infrastructure (STC, Mobily network equipment), and government IoT deployments. Qualcomm C-V2X and FastConnect chipsets are prevalent in Saudi Arabia's smart city initiatives, vehicle-to-infrastructure (V2I) systems, and 5G infrastructure. Energy sector (ARAMCO) IoT devices and connected medical devices in healthcare that use affected Qualcomm chipsets are also at risk. The memory corruption could enable remote code execution on critical infrastructure components. Note that the published CVSS vector (AV:P, PR:H) rates the attack vector as Physical with High privileges required, so exposure depends on who can reach a device's fastboot interface.
🏢 Affected Saudi Sectors
Automotive (connected vehicles, V2I systems)
Telecommunications (STC, Mobily infrastructure)
Energy (ARAMCO IoT systems)
Government (smart city initiatives)
Healthcare (connected medical devices)
Critical Infrastructure
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all devices using affected Qualcomm firmware versions (C-V2X 9150, Cologne, CQ7790, CQ8725S, CQ8750M, CSRA6620, CSRA6640, CSRB31024, FastConnect 6200/6700)
2. Isolate or restrict network access to affected devices pending patch deployment
3. Disable fastboot functionality where operationally feasible
4. Monitor for suspicious fastboot command attempts in device logs

PATCHING GUIDANCE:
5. Contact Qualcomm or device manufacturers for firmware updates addressing CVE-2026-24091
6. Test patches in non-production environments before deployment
7. Prioritize patching for automotive and critical infrastructure devices
8. Establish firmware update schedule for all affected devices

COMPENSATING CONTROLS:
9. Implement network segmentation to restrict fastboot protocol access
10. Deploy input validation and filtering at network boundaries
11. Enable device-level logging and monitoring for fastboot commands
12. Restrict physical access to devices with fastboot interfaces

DETECTION RULES:
13. Monitor for malformed fastboot commands in device logs and network traffic
14. Alert on unexpected fastboot command sequences or parameters
15. Track device crashes or unexpected reboots correlating with fastboot activity
16. Implement IDS/IPS signatures for malformed fastboot protocol packets
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.3.1 - Segregation of networks
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Secure software development practices
DE.CM-8 - Vulnerability scans and assessments
RS.MI-2 - Incident response and mitigation
🟡 ISO 27001:2022
A.12.2.1 - Change management
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.3.1 - Segregation of networks
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
📦 Affected Products / CPE 50 entries
qualcomm:c-v2x_9150_firmware:-
qualcomm:cologne_firmware:-
qualcomm:cq7790_firmware:-
qualcomm:cq8725s_firmware:-
qualcomm:cq8750m_firmware:-
qualcomm:csra6620_firmware:-
qualcomm:csra6640_firmware:-
qualcomm:csrb31024_firmware:-
qualcomm:fastconnect_6200_firmware:-
qualcomm:fastconnect_6700_firmware:-
qualcomm:fastconnect_6800_firmware:-
qualcomm:fastconnect_6900_firmware:-
qualcomm:fastconnect_7800_firmware:-
qualcomm:flight_rb5_5g_platform_firmware:-
qualcomm:fsm100_platform_firmware:-
qualcomm:fwa_gen_3_ultra_firmware:-
qualcomm:fwa_gen_5_elite_firmware:-
qualcomm:g1_gen_1_firmware:-
qualcomm:g2_gen_1_firmware:-
qualcomm:g3x_gen_2_firmware:-
qualcomm:iq-9075_firmware:-
qualcomm:kalpeni_firmware:-
qualcomm:kobuk_firmware:-
qualcomm:lemans_au_lgit_firmware:-
qualcomm:lemansau_firmware:-
qualcomm:milos_firmware:-
qualcomm:milos_iot_firmware:-
qualcomm:molokai_firmware:-
qualcomm:netrani_firmware:-
qualcomm:orne_firmware:-
qualcomm:palawan25_firmware:-
qualcomm:pandeiro_firmware:-
qualcomm:qam8255p_firmware:-
qualcomm:qam8295p_firmware:-
qualcomm:qam8397p_firmware:-
qualcomm:qam8797p_firmware:-
qualcomm:qamsrv1h_firmware:-
qualcomm:qamsrv1m_firmware:-
qualcomm:qca2066_firmware:-
qualcomm:qca6174a_firmware:-
qualcomm:qdu1000_firmware:-
qualcomm:qdu1110_firmware:-
qualcomm:qdu1210_firmware:-
qualcomm:qdx1010_firmware:-
qualcomm:qdx1011_firmware:-
qualcomm:qep8111_firmware:-
qualcomm:qfw7114_firmware:-
qualcomm:qfw7124_firmware:-
qualcomm:qln1083bd_firmware:-
qualcomm:qln1086bd_firmware:-
📊 CVSS Score: 7.2 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: P — Physical
Attack Complexity: L — Low
Privileges Required: H — High
User Interaction: N — None
Scope: C — Changed
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 7.2
CWE: CWE-1286
EPSS: 0.02%
Exploit: No
Patch: Yes
Published: 2026-06-01
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0
Priority: HIGH
🏷️ Tags
patch-available CWE-1286